Data carving

Data carving , or Raw file recovery is a very powerful way to extract files and data from a very corrupted media.

Raw recovery is reading files without reference to an operating system. This is required when the operating system has been very corrupted, changed, or the disk is very damaged. The technique can be applied to any type if disk that stores data on sector boundaries which includes camera memory as well as hard drives.

CnW Recovery software recovers raw files in two different ways

  • After a logical read of files, ie sectors that have not been used for files seen within the file system
  • or as a complete disk scan, extracting all such files. This will include space by files pointed to by the file system.

Extracting files from media, while ignoring the file structure is performed by looking for unique patterns in the data. Typically, the first few bytes of a file give a good indication, for instance all PK zip files start with the characters PK. The software has a (growing) list of such signatures built into the code. This then is the start of recovering such files. CnW Recovery goes much further than most recovery programs in that it will often generate a file name from meta data within the file. The list at the bottom of this page grows on a regular basis, so please contact us if a particular file type is required. Download the free demo program now and see the files that can be recovered.

How to read unallocated space?

With each logical reading function, eg NTFS, CD-ROM there is an option to read the unallocated space. The sequence is that the disk is read logically, and hence all used sectors are known. After this, all previously unread sectors are read, and each sector, or cluster is tested to see if it is a possible start of a file. This based on the first few characters of a file, and then sometimes some rather more extensive tests looking for a certain type of data. For NTFS disks, any file compression will be detected and automatically expanded. It does not matter if just one file is compressed, or all files compressed, they will be detected. It will even detect NTFS compressed files left behind on a FAT, MAC, or HPOFS disk .(This is more than many data recovery programs will achieve).

One issue with raw recovery is that the start of the file can be easy to detect, but often the length is not clear. CnW Recovery software will often continue adding to a file until a new unique start is found. In these cases a file can be shown as many MBs, although the actual data is only 100K. Fortunately, in many cases, an application will read this file, and ignore erroneous data at the end. As the CnW Recovery software develops, where possible, files will be stored at the correct length. With continuous files, extraction rates can be extremely high, with fragmented files, there can be major problems. However, automatic file carving routines are being added merge fragments of common types of files to produce a compete readable file.

With some file types, it is possible to determine if the data is still a valid data stream, and if incorrect data is detected, no more data will be added to the potential output file.

The following files types are detected by CnW Recovery software. The list does grow on a regular basis, and we are happy to add new file types if sent details, and examples. The number of file types being verified, and corrected is also increasing on a regular basis.

carving_options1

File carving

Many applications describe this process as file carving. However, CnW takes it a few stages further. One unusal, and very useful feature is the creation of meaningful file names and many files are verified for content structure and length. This gives a much higher success rate tha just a simple string match at the start of a file. For handling fragmented files, look at the sections on data carving and manual data carving

 

File names

In addition to the list below, various files are recognised by content, rather than signature. An example is Macintosh eMails. Again, this list will grow. For some file such as Jpegs, Docs, MP3, often it is possible to add some file name details such as date of file.

By scanning the complete disk, it is very common for multiple instances of a single file to be recovered. This is due to the operating system moving files, or as a result of a defrag operation. Fortunately, these duplicates can be removed by using the Deduplication feature in the log.

 

 File extension

Format

Notes

abc

Flow chart database file

 

ai

Adobe illustrator

 

aiff

Audio format

File length is determined from header

ani

Animated pointer file

 

atn

ATN files

 

avi

Audio Visual movie files

File length is determined from header, and file validated Fragmented files can be recovered

bmp

BMP Bitmap file

The recovered file is set to correct length, based on information in the header

cab

CAB files

Used for software distribution by Microsoft

cam

Casio camera

 

cbd

 

 

crw

Canon Raw Files

Will add name and correct file size

csv

Comma separated files

 

cur

Cursor file

 

dbf

DBase file

 

dbx

Outlook Express

 

dcm

Dicom medical images

 

doc

Microsoft Word

Many compound documents have the same signature, so there can be false matches. Files start D0 CF 11 E0 etc

Will extract date and title

doc

Word 2

Many programs produce DOC files

docx

Office 2007 files

The files are part of a Zip file

drw

Micrografx designer format

 

emf

Enhanced meta file

 

exe

Microsoft EXE

 

fm3

FM3 files

 

fmt

Printer driver

 

fon

Font file

 

fp7

Filemaker Pro 7

 

gif

GIF graphics file

 

hlp

Help file

 

hlp

Help files

 

hqx

BinHex for Macintosh

 

htm

HTML file

 

ifo

IFO file from DVD video

 

indx

INDX files from NTFS

These are index files from the NTFS directory

jpeg

JPEG, picture files

Checked for validity. Adds date and camera name to file name, and verifies file length.Joins fragments

lha

LHA compression program

 

lnk

Link files from Windows

 

mdb

Access database file

 

mft

NTFS Master File table blocks

This is not a format, but system data

mmm

Multimedia Movie file

 

mov

MOV movie files

File length of some versions is determined from header

mp3

MP3 audio files

Name is created from title

mp4

MP4 Audio files

Name is created from title

mpeg

Video MPEG files

 

msc

MSC file

 

msi

Microsoft installer

 

nb7

NovaBack V 7

 

nsf

Lotus Notes

 

orf

Olympus Raw image files

Date extracted

pcx

Paintbrush file

 

pdf

Adobe Portable Document File

File name sometimes extracted

ppd

Printer description file

 

psd

Photoshop file

 

pst

Outlook express file

File length determined from header

qdf

Quicken accounts package

 

rmi

MIDI sequence file

 

scf

Symphony spell checker

 

tif

TIFF files

Both Intel and Motorola are detected. The file dates is added to name, and the length is verified

url

Internet Shortcuts

Name extracted from URL

wav

Audio sound file

 

wb1

webshots image

 

wdp

Windows media photo

New Microsoft graphics format

wk3

Lotus spreadsheet

 

wk4

Lotus spreadsheet

 

wks

Lotus 123 spreadsheet

 

wmf

Windows Metafile - graphics

 

wmv

Wave sound files

 

wp5

Word Perfect 5

 

wpl

WPL file

 

xlb

Excel database extension file

 

xls

Excel spreadsheet

 

xlsx

Excel 2007

2007 Excel file

xml

XML File

 

zip

PK Zip and Winzip files

Name determined from first file in archive. In a corrupted Zip archive, complete files are extracted and stored in a new Zip file
[CnW Recovery] [Downloads] [Purchase Now] [User Manual] [Wizard] [Main menu] [Partitions] [Logs] [Hard drive recovery] [NTFS data recovery] [FAT data recovery] [exFAT] [CD ROM data recovery] [Data carving] [Photo Recovery] [Damaged disks] [Fragm'ted Files] [File Filter] [Deduplication] [Camcorder Disk] [File validation] [Deleted file recovery] [Macintosh] [Unix Recovery] [MTF .BKF] [CD and DVD output] [What will it do?] [Product Details] [Forensic DR] [FAQ & Links] [Case Studies] [Technical Notes] [Demo videos] [Updates] [Development] [Testimonials] [Site Map] [Contact Us]